Use-After-Free Vulnerability in libcurl Affecting HTTP/2 Streaming
CVE-2026-10536
Currently unrated
What is CVE-2026-10536?
CVE-2026-10536 is a use-after-free vulnerability in libcurl. It arises when an application configures an HTTP/2 stream-dependency tree using CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E, then calls curl_easy_reset() and subsequently terminates the handle with curl_easy_cleanup(). During cleanup, libcurl attempts to access an internal structure that was already freed during the reset operation, which can potentially lead to unspecified unauthorized actions.
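One way to audit application source for the call sequence described above, as an added example (not code from curl or from this advisory): a line-ordered heuristic that flags easy-handle variables that take part in a CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E call, are later passed to curl_easy_reset(), and are then passed to curl_easy_cleanup(). The function name, the sample source and the choice to track both handles named in the setopt call are assumptions; the scan does not follow control flow or pointer aliases.

```python
import re

# Matches the three libcurl calls named in the advisory and captures the
# handle variable, plus the option and its argument for curl_easy_setopt().
CALL = re.compile(
    r"curl_easy_(setopt|reset|cleanup)\s*\(\s*(\w+)"
    r"(?:\s*,\s*(CURLOPT_\w+)\s*,\s*(\w+))?"
)
DEPENDS = {"CURLOPT_STREAM_DEPENDS", "CURLOPT_STREAM_DEPENDS_E"}

def find_reset_then_cleanup(source):
    """Return (handle, depends_line, reset_line, cleanup_line) tuples."""
    state = {}      # handle variable -> [depends_line, reset_line or None]
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("//"):
            continue                      # skip whole-line comments
        for call, handle, opt, arg in (m.groups() for m in CALL.finditer(line)):
            if call == "setopt":
                if opt in DEPENDS:
                    # Assumption: the advisory does not say which side of the
                    # dependency is reset, so track both handles in the call.
                    for h in (handle, arg):
                        if h != "NULL":
                            state.setdefault(h, [lineno, None])
            elif handle in state:
                if call == "reset":
                    if state[handle][1] is None:
                        state[handle][1] = lineno
                else:                     # curl_easy_cleanup()
                    dep, rst = state.pop(handle)
                    if rst is not None:
                        findings.append((handle, dep, rst, lineno))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = """\
CURL *parent = curl_easy_init();
CURL *child = curl_easy_init();
CURL *other = curl_easy_init();
curl_easy_setopt(child, CURLOPT_STREAM_DEPENDS, parent);
curl_easy_reset(child);
curl_easy_cleanup(other);
curl_easy_cleanup(child);
curl_easy_cleanup(parent);
"""

if __name__ == "__main__":
    for handle, dep, rst, cln in find_reset_then_cleanup(SAMPLE):
        print(f"{handle}: depends@{dep} reset@{rst} cleanup@{cln}")
```

A hit is a lead for manual review on builds linked against one of the affected versions, not proof that the freed structure is reached.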
Affected Version(s)
curl 8.20.0
curl 8.19.0
curl 8.18.0
